A lot of services that use SMS for new account verification also block numbers from non-mobile providers, even ones that haven't been used before. I tried using a Twilio number as a Google-Voice-like service where it would forward texts to my actual number, but many services refused to accept the Twilio number.

I want to use virtual numbers to avoid the spammers. There have been plenty of companies that had pseudo dodgy signup (win a chance for a dream trip to somewhere) where you had to give up your phone number (supposedly so they could call you). Lots of times I get spam calls that claim I gave permission for them to call me. So a temporary forwarding number hides me. I use my Google Voice number for this and it does a good job of noticing lots of spammers (but not all).

Only from those providers that explicitly disclose this fact; I provide API-driven phone numbers (from a carrier partner) and those show up as the carrier's numbers on every lookup tool, with no way to distinguish them from numbers allocated to SIMs directly. I actually really like this fact and will make sure it stays that way.

Nextgrid, though at the moment it's still a work in progress (building an entire telco core network from scratch by yourself takes a looooong time), but in the meantime you can get the numbers from my carrier partner directly: https://aa.net.uk/telecoms.html

Those are UK mobile numbers, with SIP for voice and webhooks for texts, and all lookup tools I've found recognise their numbers as "Three" (a mobile carrier in the UK) mobile numbers.

I am not actually sure how those guys interconnect to Three, it could even be literally a bunch of GSM modems with real SIMs in it. My long-term plan is to get rid of the middleman and become a carrier myself (get a number range allocated by OFCOM, UK's telco regulator) and offer both SIMs and API-driven numbers (with no way of distinguishing which is which from the outside).

"VoIP" is a generic term in this case as they mean numbers that can be rented online by a customer directly, with little to no identity checks - sadly those are often used for fraud, though outright denying service on this basis alone is a dick move IMO.

I don't think we need a system of phone numbers at all - IPv6 by itself can already do that.

The biggest roadblock there is that the scammy telco industry's entire business model is based on charging through the ass for what is essentially an 8kbps voice channel. Doing calls via IP would cut that revenue stream and would put a lot of irrelevant people out of a job so it'll be very hard to succeed, though I fully support the idea - it's complete heresy that I can download a 1GB file across the Atlantic for pretty much free but a 12 hour call that would total maybe 40MB would cost a ton.

I get your point but the phone companies wouldn't be able to survive, and when I talk to people on wifi it's never as good as a phone call. They must be using dedicated routing or something, even though I think we are past the world of direct circuits.

> I get your point but the phone companies wouldn't be able to survive

Do we need them to survive? They can and should go the way of the dodo and leave place for ISPs instead.

> and when I talk to people on wifi it's never as good as a phone call

That's a side-effect of crap Wi-Fi gear, but can be resolved by placing the call over LTE and using stuff like MPTCP to combine both the Wi-Fi and LTE connection. In fact, VoLTE is essentially SIP (which is IP-based) over LTE, so there's a good chance you're already using an IP system and not realising it, which I guess proves the point that it's good enough if not better than legacy circuit-switched calls.

It's not on the level of never having to reuse a number, but arguably we've already seen something similar to IPv4->IPv6 (restructuring/numbering to add capacity) in the UK through PhONEday/Big Number Change. Expanding that out to never having to reuse a number, especially now that most people don't have to remember phone numbers (or at least far fewer), doesn't seem that difficult (at least on the numbering end; I don't know about the engineering side of that).

A CVS half a continent away from me has been calling me thinking that I am the previous owner of this phone number for the last six months or so. First they were leaving voicemails that I need to pick up a prescription and that they will return it in a day and stop calling me. But they have been calling every few days or so ever since.

That's always been the case. The problem is that, especially over the last couple of decades, people have built lots of systems with a central assumption being that phone numbers are uniquely tied to individuals.

So, instead of fixing those systems, I guess the idea is to adapt phone numbers to the faulty assumptions made about them.

You can't really intercept SMS with this, you know that, right? You can't just write any existing number and start to receive messages sent to that number. You can only use this to receive messages sent to phone numbers assigned to Mailinator, and frankly, if you're using their numbers as a 2nd auth factor, you kinda deserve what you get. It's no different than signing up for any service with a Mailinator email address.

The only bad scenario was if they somehow got hold of real mobile numbers that real people were actually using before but that were lapsed and got recycled, without those people removing the numbers from, say, their Gmail accounts.

The point I was trying to make is one SMS number does not equal a phone with a paid, credit checked, account behind it. Making it easy to create SMS numbers will help expose the weaknesses of using them for 2fa.

Many people have access to your SMSs. One bad actor at your phone provider, the SMS gateway, spoofing your SIM, a bad app, or someone casually observing your lock screen are a couple I can think of, but I'm sure the security experts know many more ways than I do.

Intercepting SMS is incredibly easy. Not with this tool, but via other methods. SMS is broken and should never be used for any type of sensitive communication, be it 2fa or pics you don't want to see online.

> Can you elaborate? SS7 is signaling. You can't request a Telecom provider to just start sending you all someone's calls and texts via SS7.

I was simplifying, but how roaming works is that on every call a mobile number from the visited network is assigned to the SIM, and the host network is instructed to send the call there; in the case of an attacker I expect them to be able to use this mechanism to send calls anywhere they want.

They could also most likely fake USSD which is I believe used behind the "Call forwarding" toggle in your phone's settings.

There are plenty of SS7-related demos & presentations posted here on HN, I suggest you use the search and find them, the people making those have much more experience than me in the field and you're better off with them rather than my half-assed explanations, but the point is, call and text interception is possible, among other nasty things (silently tracking a phone's approximate location, DoS, etc).

I recall reading long ago that SMS messages were a hack built on top of the unencrypted "paging" channel in the protocol. They're received and "ignored" by all phones near the intended recipient.

IIRC, the paging channel is a broadcast channel that was originally used to send a short message to a handset to advise them of an incoming call and to request a private channel to receive it. It had lots of excess capacity so someone had the idea of pushing short text messages over it.